February 2, 2005

Acquisition

Implementation of Interoperability and Information Assurance Policies for Acquisition of Air Force Systems (D-2005-034)

Department of Defense
Office of the Inspector General
Quality  Integrity  Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Inspector General of the Department of Defense at http://www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

ODIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General of the Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Acronyms

C4I       Command, Control, Communications, Computers, and Intelligence
DITSCAP   DoD Information Technology Security Certification Accreditation Program
GIG       Global Information Grid
IA        Information Assurance
KPP       Key Performance Parameter
NS        National Security
ORD       Operational Requirements Document
SSAA      System Security Authorization Agreement
TEMP      Test and Evaluation Master Plan

Office of the Inspector General of the Department of Defense
Report No. D-2005-034 (Project No. D2002AE-0188)
February 2, 2005

Implementation of Interoperability and Information Assurance Policies for Acquisition of Air Force Systems

Executive Summary

Who Should Read This Report and Why? Civil servants and military managers who are responsible for interoperability and information assurance requirements of Air Force acquisition programs should read this report. This report addresses the importance of adhering to DoD and Air Force interoperability and information assurance policies to exchange secure information with other DoD and allied systems.

Background. This report is the fourth in a series of reports on the implementation of interoperability and information assurance policies for the acquisition of DoD systems. This report addresses the implementation of those policies within the Air Force; the first report addressed the implementation of those policies within the Office of the Secretary of Defense and the Defense agencies; the second report addressed the implementation of those policies within the Army, and the third report addressed the implementation of those policies within the Navy.

Results. The Air Force made progress updating and certifying its capabilities documents to incorporate interoperability requirements. However, Air Force system program offices were not always preparing required command, control, communications, computers, and intelligence support plans (renamed information support plans) or obtaining Joint Staff supportability certifications for programs with interoperability requirements. As a result, milestone decision authorities do not have adequate information to determine whether a system should proceed further through the acquisition process.
The Air Force Chief Information Officer, in collaboration with the Air Force Deputy Chief of Staff for Warfighting Integration, needs to issue policy to require program managers to prepare information support plans and obtain supportability certifications before program decision reviews and before fielding the system (finding A).

After DoD issued guidance on net-ready key performance parameters, the Air Force made progress identifying testable information assurance requirements in operational requirements documents for Air Force programs with interoperability and supportability requirements. However, Air Force system program offices did not always prepare required system security authorization agreements for systems with information technology requirements. Without those agreements, Air Force operational testers do not have information needed to assess compliance with security requirements affecting system confidentiality, integrity, availability, and accountability. The Air Force Chief Information Officer needs to verify that system program offices prepare system security authorization agreements for systems with information technology requirements (finding B).

The Air Force had not populated and maintained its portion of the Global Information Grid asset inventory for acquisition programs containing information technology requirements. As a result, DoD cannot ensure that its acquisition programs have the most effective, efficient, and secure information-handling capabilities available. The Inspector General of the Department of Defense issued a report (Report No. D-2005-033, “Implementation of the Interoperability and Information Assurance Policies for Acquisition of Navy Systems,” February 2, 2005) on the Navy’s implementation of interoperability and information assurance policies in acquiring DoD systems.
The report includes a recommendation on DoD guidance in populating and maintaining the GIG asset inventory and includes a recommendation addressing the issue (finding C). See the Findings section of the report for the detailed recommendations.

Management Comments. We received comments from the Director, Joint Staff and from the Air Force Chief Information Officer, who also responded for the Air Force Deputy Chief of Staff for Warfighting Integration. The Director agreed with the recommendations. The Chief Information Officer concurred with the recommendations and made suggestions to enhance the completeness and accuracy of this report. See the Finding section of this report for a discussion of the management comments and the Management Comments section of the report for the complete text of the comments.

Table of Contents

Executive Summary
Background
Objectives
Findings
    A. Implementing Interoperability Policies
    B. Testing Air Force Acquisition Programs for Information Assurance
    C. Populating and Maintaining the Global Information Grid’s Asset Inventory
Appendixes
    A. Scope and Methodology
    B. Prior Coverage
    C. Glossary
    D. Global Information Grid
    E. Results of the Air Force Interoperability and Information Assurance Survey
    F. Air Force Programs Surveyed
    G. Audit Response to Air Force Comments on the Report
    H. Report Distribution
Management Comments
    Joint Staff
    Department of the Air Force

Background

This report is the fourth in a series of reports on the implementation of interoperability and information assurance (IA) policies within DoD. This report addresses the Air Force’s implementation of those policies in the Joint Capabilities Integration and Development System,[1] inclusion of adequate interoperability key performance parameters (KPPs)[2] in requirements documents, and the interoperability certification process for Air Force acquisition programs. Appendix C provides a glossary of technical terms used in this report.

Chairman of the Joint Chiefs of Staff Testimony on the President’s Proposed Defense Program for FY 2005. On February 4, 2004, General Pace, the Vice Chairman of the Joint Chiefs of Staff, testified before the U.S. House of Representatives Committee on Armed Services. General Pace described how information sharing is critical for planning and executing military operations. He testified that:

    Since this is a global war requiring an international effort, we must also improve coalition command and control capabilities, and consolidate the numerous networks that exist today.
    These disparate networks hinder our ability to plan in a collaborative environment and exercise timely and effective command and control with our multinational partners.

    We must also review policies and implement technology that safeguard our vital sensitive information while ensuring critical operational information is shared with all those who fight beside us. JFCOM [Joint Forces Command] has been tasked to take the lead in identifying specific multinational information sharing requirements and recommending policy changes. Our goal is to establish a multinational family of systems with common standards as part of the Global Information Grid enterprise services. I view this as a top priority and ask for Congressional support - information sharing with our allies is critical to winning the War on Terrorism.

Top 10 Priorities. The Secretary of Defense issued a list of the top 10 DoD priorities. One priority is to strengthen joint warfighting capabilities, which was also one of the Secretary’s priorities for FY 2004. The intent of this priority is to improve joint concepts of operation through integrating air, land, and sea capabilities, and strengthen joint exercises and joint training. By enhancing interoperability and communication among warfighters, joint warfighting capabilities will be strengthened.

[1] Chairman of the Joint Chiefs of Staff Instruction 3170.01C, “Joint Capabilities Integration and Development System,” June 24, 2003, replaced the interoperability requirements generation process with the Joint Capabilities Integration and Development System. Subsequently, Chairman of the Joint Chiefs of Staff Instruction 3170.01D, “Joint Capabilities Integration and Development System,” March 12, 2004, superseded Chairman of the Joint Chiefs of Staff Instruction 3170.01C.

[2] DoD Directive 4630.5, “Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS)” May 5, 2004, established the net-ready key performance parameter to replace the interoperability key performance parameter. However, this report addresses the interoperability key performance parameter because the programs reviewed during the audit were subject to the previous version of DoD Directive 4630.5, which addressed interoperability key performance parameters.

Joint Operations Concepts. In November 2003, the Secretary of Defense issued the Joint Operations Concepts (the Concepts), which elaborated on the joint warfighting requirements addressed in Joint Vision 2020 and provided the operational concept for the transformation of the Armed Forces to achieve joint force capabilities. The Concepts state that, to facilitate decision superiority, the joint force will use technology to provide actionable and precise intelligence at all levels of war, which requires a singular battlespace network to enable continuous and collaborative campaign planning and an adaptive command and control organization. The joint force must gain and maintain information superiority to facilitate decision superiority.
Upon achieving decision superiority, the joint force can achieve full spectrum dominance when the joint force is integrated, networked, and interoperable with interagency and multinational partners. Full spectrum dominance is the defeat of any adversary or the control of any situation across the full range of military operations. Information superiority, decision superiority, and full spectrum dominance are elements of the Global Information Grid (GIG), which is discussed in Appendix D.

Scope of Air Force Programs Surveyed. We judgmentally selected 40 Air Force acquisition programs for review. Those programs were funded with research and development funds and were required to interface with other systems. We sent a questionnaire to the system program offices for those programs to survey their awareness of interoperability and IA requirements. Appendix E contains the results of the survey, and Appendix F lists the Air Force acquisition programs surveyed. In addition, we requested each system program office to provide the following documents:

    • operational requirements document (ORD),[3]
    • command, control, communications, computers, and intelligence (C4I) support plans,[4]
    • test and evaluation master plan (TEMP), and
    • system security authorization agreement (SSAA).

[3] DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” May 12, 2003, states that, during system development and demonstration, the capabilities development document instead of the ORD will state the detailed operational performance parameters. Further, the Instruction states that the capabilities production document instead of the ORD will state the operational requirements resulting from system development and demonstration and will detail the performance expected of the production system. However, this report uses the term ORD because the programs reviewed during the audit usually provided ORDs.

[4] DoD Instruction 4630.8, “Procedures for Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS),” June 30, 2004, states that the information support plan replaces the C4I support plan specified in the DoD 5000 series documents. However, this report uses the term C4I support plan because the programs reviewed during the audit usually provided C4I support plans.

Overall Audit Project. This project is a continuation of work reported in the Inspector General of the Department of Defense Report No. D-2003-011, “Implementation of Interoperability and Information Assurance Policies for Acquisition of DoD Weapon Systems,” October 17, 2002, which addressed whether the Office of the Secretary of Defense and the Defense agencies were effectively implementing DoD interoperability and IA policies. A subsequent audit, Report No. D-2004-008, “Implementation of Interoperability and Information Assurance Policies for Acquisition of Army Systems,” October 15, 2003, addressed the adequacy of interoperability and IA requirements for systems in the Army. Further, Inspector General of the Department of Defense Audit Report No. D-2005-033, “Implementation of the Interoperability and Information Assurance Policies for Acquisition of Navy Systems,” February 2, 2005, assessed how effectively the Navy was implementing DoD interoperability and IA policies.

Objectives

The primary audit objective was to evaluate whether the Air Force was effectively implementing DoD interoperability and IA policies for its acquisition programs. Specifically, the audit determined whether the Air Force was effectively identifying system interoperability and IA requirements in the requirements generation process. See Appendix A for a discussion of the audit scope and methodology. See Appendix B for prior coverage related to the audit objectives.

A. Implementing Interoperability Policies

The Air Force made progress updating and certifying its capabilities documents to incorporate interoperability requirements. Specifically, 38 of the 40 programs surveyed were required to have certified interoperability requirements. Of those 38 programs, 31 had updated capabilities documents to incorporate interoperability requirements and had obtained or were obtaining Joint Staff interoperability requirements certifications for those documents. However, the Air Force system program offices did not develop C4I support plans (renamed information support plans) as required or obtain Joint Staff supportability certifications for programs with interoperability requirements. Specifically, 36 of the 40 programs surveyed required certified C4I support plans; of the 36 programs, only 26 prepared C4I support plans and only 5 obtained supportability certification for those plans.
The C4I support plans were not prepared and certified because the Air Force Chief Information Officer did not ensure that the Office of the Air Force Deputy Chief of Staff for Warfighting Integration updated policy to require program managers to prepare and submit certified C4I support plans before applicable program decision reviews. Without certified C4I support plans, milestone decision authorities do not have adequate information to determine whether a system should proceed further through the acquisition process. Specifically, the milestone decision authorities do not know whether the system is compatible with the existing C4I infrastructure for other DoD acquisition programs and whether it is able to meet warfighter interoperability and information needs.

Interoperability Requirements and Certification

Interoperability Requirements and Certification Policy. DoD Directive 4630.5, “Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS)” May 5, 2004; Chairman of the Joint Chiefs of Staff Instruction 3170.01D, “Joint Capabilities Integration and Development System,” March 12, 2004; Chairman of the Joint Chiefs of Staff Instruction 6212.01C, “Interoperability and Supportability of Information Technology and National Security Systems,” November 20, 2003; and Air Force Instruction 10-601, “Capabilities Based Requirements Development,” July 30, 2004, provide policy and responsibilities for interoperability and supportability of information technology and National Security (NS) systems.

DoD Policy.
DoD Directive 4630.5 established the net-ready KPP that replaced the interoperability KPP and incorporated net-centric concepts for achieving information technology and NS system interoperability and supportability. The Directive requires, as did the previous version of the policy, the DoD Components to identify interoperability and supportability requirements for information technology and NS systems during the acquisition process and to update them as necessary throughout the system’s life.

Joint Staff Policy. Chairman of the Joint Chiefs of Staff Instruction 3170.01D requires all capability documents to include a net-ready KPP. In addition, Chairman of the Joint Chiefs of Staff Instruction 6212.01C requires the Director for Command, Control, Communications, and Computers Systems Directorate (J-6), Office of the Chairman of the Joint Chiefs of Staff (Joint Staff J-6) to certify interoperability requirements in the ORDs before milestone decisions for system acquisition programs.

Air Force Policy. Air Force Instruction 10-601 states that the net-ready KPP is documented in the capability development document and the capability production document.[5]

Review of Operational Requirements Documents. The Air Force Director of Operational Capability Requirements, Office of the Deputy Chief of Staff for Air and Space Operations made progress incorporating interoperability or net-ready KPP requirements into its capabilities documents and obtaining the Joint Staff J-6 interoperability requirements certification.
Of the 40 Air Force programs surveyed, only 38 were required to have an interoperability or a net-ready KPP because the Air Force had fielded or placed 2 of the programs into operational use before DoD established the requirements for the interoperability or net-ready KPPs. As of May 2003, the Joint Staff J-6 either had certified or was certifying the interoperability requirements in the ORDs for 25 of the 38 Air Force programs. In August 2004, the number of ORDs with interoperability or net-ready KPPs that the Joint Staff J-6 had certified or was certifying had increased to 31 out of the 38 Air Force programs surveyed. By continuing to prepare requirements documents with certified net-ready KPPs, the Air Force programs surveyed have verifiable performance measures and associated metrics for the milestone decision authority to use at program milestone reviews to determine whether the systems have timely, accurate, and complete exchange and use of information to satisfy the warfighter needs.

C4I Support Plans

C4I Support Plan Policy.
DoD Instruction 4630.8, “Procedures for Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS),” June 30, 2004; Chairman of the Joint Chiefs of Staff Instruction 6212.01C; and Assistant Secretary of the Air Force (Acquisition) Memorandum, “Command, Control, Communications, Computers, and Intelligence (C4I) Support Plan (C4ISP) and System Certifications Policy,” April 25, 2002,[6] provide guidance on preparing and updating C4I support plans.

[5] The capability development document and the capability production document were previously referred to as the ORD.

[6] This memorandum superseded Assistant Secretary of the Air Force (Acquisition) Memorandum, “Air Force Command, Control, Communications, Computers, and Intelligence Support Plan (C4ISP) Policy,” June 13, 2000, which required Air Force system program offices to develop C4I support plans for all new or developing acquisition programs that connect with Air Force communications and information infrastructures or that give the warfighter or DoD decision maker an operational capability that depends on timely, effective C4I infrastructure support.

DoD Instruction. DoD Instruction 4630.8 states that the C4I support plan is a mechanism to identify and resolve implementation issues related to the infrastructure for information technology and NS systems and interface requirements.
The Instruction requires program managers to:

    • prepare an information support plan (C4I support plan) that identifies the capabilities that the information technology and NS systems require or the information needed to meet the proposed capability;
    • develop the information support plan (C4I support plan) concurrently and collaboratively with the associated capability development document or capability production document (referred to as ORDs in the report), unless exceptions are noted in an acquisition decision memorandum; and
    • update the information support plan (C4I support plan) as the program matures or proceeds through multiple evolutionary blocks or phases.

Further, the Instruction requires the Air Force Chief Information Officer to:

    • ensure compliance with DoD Instruction 4630.8;
    • ensure that the milestone decision authority or cognizant fielding authority has an approved information support plan (C4I support plan) before the system enters into the system development and demonstration phase of the acquisition process; and
    • comply with Joint Staff procedures for interoperability certification.

Joint Staff Instruction.
Chairman of the Joint Chiefs of Staff Instruction 6212.01C requires the Joint Staff J-6 to certify to the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer[7] that C4I support plans, regardless of acquisition category, address information technology and NS system infrastructure requirements adequately and the availability of bandwidth and spectrum support, funding, and personnel; and identify dependencies and interface requirements among DoD acquisition programs. The Instruction also requires the Military Departments to provide guidance and direction to all program managers, specifying that all systems must be certified in accordance with applicable policy.

[7] Formerly named the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence).

Air Force Memorandum. The Assistant Secretary of the Air Force (Acquisition) Memorandum requires Air Force system program managers to:

    • Develop and maintain a C4I support plan for their systems.
    • Conduct a self-assessment to determine whether the C4I surveillance and reconnaissance document for their system supports the requirements. If the self-assessment determines that a C4I support plan is not required because a C4I surveillance and reconnaissance supportability issue does not exist, the program manager must prepare a justification letter and forward it to the Director for Information Dominance, Office of the Assistant Secretary of the Air Force (Acquisition) to obtain approval for not preparing a C4I support plan. The Director coordinates approval or disapproval with the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Joint Staff, as required.
    • Determine whether a modification or upgrade requires a C4I support plan. If the C4I support plan is not required, the system program manager will forward a justification letter with a self-assessment to the Director for Information Dominance for approval.

Review of C4I Support Plans. During our review of the 40 Air Force programs surveyed, we determined that not all Air Force program managers were preparing C4I support plans and obtaining Joint Staff supportability certification of those plans.

C4I Support Plan Preparation.
We requested C4I support plans from the 40 Air Force system program offices[8] and received 30 C4I support plans. Thirty-six of the 40 Air Force programs were past the system development and demonstration milestone decision, and 4 were yet to have a system development and demonstration milestone decision. As a result, the program managers for those 36 programs should have prepared a C4I support plan. However, only 26 of the 36 programs had a C4I support plan.[9] The remaining 10 Air Force system program offices stated that they did not prepare a C4I support plan because:

    • the program existed before the C4I support plan requirement (legacy system) (five system program offices),
    • a waiver was issued (one system program office),
    • the program office did not feel it was required to develop a C4I support plan (two system program offices), and
    • the program office was in the planning stages of developing its C4I support plan (two system program offices).

[8] We requested C4I support plans by a data request and followed up with the program offices to verify the latest status of the C4I support plans.

[9] The program managers provided C4I support plans for the four programs that had not yet undergone a system development and demonstration milestone decision; however, those plans needed to be certified.

Joint Staff Supportability Certification. Of the 26 C4I support plans obtained for the 36 Air Force programs required to have a C4I support plan:

    • 5 C4I support plans had received the required supportability certification from the Joint Staff J-6,
    • 7 C4I support plans had been in the required supportability certification process for more than 1 year without advancement, and
    • 14 C4I support plans had not been submitted to the Joint Staff J-6 for the required supportability certification process.

Although DoD policy requires the Air Force Chief Information Officer to ensure that program managers have an approved and certified C4I support plan before the system enters into the system development and demonstration phase, the Air Force Chief Information Officer did not have procedures established to enforce compliance with the DoD policy. According to personnel in the Office of the Air Force Chief Information Officer, the procedures should have been promulgated; however, as the result of a reorganization of the Office of the Assistant Secretary of the Air Force (Acquisition) in 2001, the responsibility for preparing the procedures became that of the Office of the Air Force Deputy Chief of Staff for Warfighting Integration.
Personnel in the Office of the Air Force Deputy Chief of Staff for Warfighting Integration confirmed the responsibility and stated that they were updating Air Force Instruction 33-108, “Compatibility, Interoperability, and Integration of Command, Control, Communications, and Computers (C4) Systems,” July 14, 1994, to include C4I support plan guidance that complies with DoD Instruction 4630.8.

Effects of Developing and Certifying C4I Support Plans

Without Air Force system program offices preparing and certifying C4I support plans, milestone decision authorities do not have adequate information to determine whether a system should proceed further through the acquisition process. Specifically, the milestone decision authorities do not know whether the system is compatible with the existing C4I infrastructure for other DoD acquisition programs and whether it is able to meet warfighter interoperability and information needs.

Management Comments on the Finding and Audit Response

A summary of management comments on the finding and audit responses is in Appendix G.

Recommendation and Management Comments

A. We recommend that the Air Force Chief Information Officer, in collaboration with the Air Force Deputy Chief of Staff for Warfighting Integration, issue policy to require program managers to prepare information support plans and obtain supportability certifications before program decision reviews and before fielding the system, in accordance with DoD Instruction 4630.8, “Procedures for Interoperability and Supportability of Information Technology (IT) and National Security Systems (NSS),” June 30, 2004.

Air Force Chief Information Officer Comments.
The Air Force Chief Information Officer, who also responded for the Air Force Deputy Chief of Staff for Warfighting Integration, concurred, stating that Air Force Policy Directive 33-2, “Information Assurance Program,” will address the requirement for program managers to prepare information support plans and obtain supportability certification before program decision reviews and before fielding the system. Further, the Air Force Chief Information Officer stated that the Directive will be staffed in early 2005 and that his staff contacted the Office of the Assistant Secretary of the Air Force (Acquisition) to ensure that Air Force acquisition guidance also included the correct guidance. For the complete text of the Air Force Chief Information Officer’s comments, see the Management Comments section of the report.

Director, Joint Staff Comments. Although not required to comment, the Director agreed with the recommendation, stating that the Joint Staff will support the recommendation through its role as a principal member of the Interoperability Test Panel. For the complete text of the Director’s comments, see the Management Comments section of the report.

B. Testing Air Force Acquisition Programs for Information Assurance

After DoD issued guidance on net-ready KPPs, the Air Force made progress in identifying testable IA requirements in ORDs for Air Force programs with interoperability and supportability requirements. However, Air Force system program offices were not always preparing required SSAAs for systems with information technology requirements. Only 26 of 40 system program offices surveyed had prepared SSAAs.
For the remaining 14 system program offices, the SSAAs were not prepared because the Air Force Chief Information Officer did not verify that the respective system program offices had prepared SSAAs when the system was subject to the DoD Information Technology Security Certification Accreditation Program (DITSCAP). For those programs with SSAAs, the Air Force operational testers were coordinating with the SSAA signatories to minimize duplicative testing efforts. Without an SSAA, the testers do not have information needed to assess compliance with the technical and nontechnical implementation of the security design and to determine whether the system program office properly implemented security features affecting system confidentiality, integrity, availability, and accountability.

Defining Information Assurance Requirements for Testing

Information Assurance Requirements Policy. DoD Directive 4630.5; DoD Directive 8500.1, “Information Assurance,” October 24, 2002; DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003; DoD Instruction 8580.1, “Information Assurance (IA) in the Defense Acquisition System,” July 9, 2004; Chairman of the Joint Chiefs of Staff Instruction 3170.01D; Chairman of the Joint Chiefs of Staff Instruction 6212.01C; and Air Force Instruction 10-601 provide policy and responsibilities for information assurance of information technology and NS systems.

DoD Directive 4630.5. DoD Directive 4630.5 requires the DoD Components to develop and use net-ready KPPs to assess IA attributes for the technical exchange of information and the operational effectiveness of that exchange.

DoD Directive 8500.1.
DoD Directive 8500.1 requires the DoD Components to identify and include IA requirements in the design, acquisition, installation, operation, upgrade, or replacement of all DoD information systems for which they have responsibility.

DoD Instruction 8500.2. DoD Instruction 8500.2 requires IA managers to ensure that IA inspections, tests, and reviews are coordinated. In addition, the Instruction states that:

• the ability to test and verify is an essential competency of the DoD IA program, and

• the IA objective condition is testable, IA compliance is measurable, and the activities required to achieve the IA control are assignable and accountable.

DoD Instruction 8580.1. DoD Instruction 8580.1 implements acquisition policy for IA, assigns responsibilities, and prescribes procedures to integrate IA into the DoD acquisition system. The Instruction requires:

• DoD Components to implement IA in all DoD system acquisitions in accordance with the DoD 5000 series; and

• program managers to fully integrate IA into all phases of their acquisition, upgrade, or modification programs, including initial design, development, testing, fielding, and operation.

Joint Staff Policy.
Chairman of the Joint Chiefs of Staff Instruction 3170.01D requires all capability documents to include a net-ready KPP.[10] In addition, Chairman of the Joint Chiefs of Staff Instruction 6212.01C requires the net-ready KPP, including the information assurance component, to consist of measurable, testable, or calculable characteristics and performance metrics required for timely, accurate, and complete exchange and use of information.

Air Force Policy. Air Force Instruction 10-601 states that the net-ready KPP is documented in the capability development document and the capability production document.

Review of Operational Requirements Documents. Before DoD issued guidance on net-ready KPPs, the Air Force did not always identify testable IA requirements in ORDs for Air Force programs with interoperability and supportability requirements. During the audit, the Air Force began to incorporate IA requirements into its capability documents as part of the net-ready KPP requirements.

During our review of the 40 Air Force programs, we determined whether the ORDs for the programs contained IA requirements that could be measured, tested, and evaluated. Although 28 of the 40 ORDs contained IA requirements, only 16 of them were written in output-oriented and measurable terms. Personnel from the Office of the Air Force Director of Operational Capability Requirements stated that, as a result of the Chairman of the Joint Chiefs of Staff Instruction 6212.01C requiring all capability documents to include a net-ready KPP, they began requiring programs to incorporate net-ready KPP requirements with testable IA requirements into capability documents.
Of the 40 programs surveyed, the personnel stated that 3 had net-ready KPPs in their capability documents, 1 had begun to incorporate a net-ready KPP into its capability document, and 3 had net-ready KPP migration strategies to convert the interoperability KPPs into net-ready KPPs as of September 2004. When capability documents specify testable IA requirements, testers can more readily determine whether an acquisition program’s IA requirements are operationally effective and suitable to meet warfighter requirements.

[10] Chairman of the Joint Chiefs of Staff Instruction 6212.01C stated that interoperability KPPs were superseded by net-ready KPPs.

Preparing and Maintaining System Security Authorization Agreements

SSAA Policy. DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997; and Air Force Instruction 33-202, “Network and Computer Security,” June 17, 2004, provide policies and procedures for the DITSCAP, including SSAAs.

DoD Instruction 5200.40. DoD Instruction 5200.40 states that the DITSCAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information. Further, the Instruction states that a critical element of the DITSCAP is the agreement among the information technology system program manager,[11] the designated approving authority, the certification authority, and the user representative to resolve critical schedule, budget, security, functionality, and performance issues.
This agreement is documented in the SSAA that is used to guide and document the results of the certification and accreditation process. The SSAA establishes a binding agreement on the level of security required before the system is developed or changes begin. The SSAA is used throughout the entire DITSCAP to guide actions, document decisions, specify information technology security requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational system security.

Air Force Instruction 33-202. Air Force Instruction 33-202 establishes Air Force computer security requirements for information protection in compliance with DoD Instruction 5200.40. The Instruction applies to all personnel who develop, acquire, deliver, use, operate, or manage Air Force information systems. Further, the Instruction requires:

• the Air Force Chief Information Officer to ensure that IA is an integral part of information systems and applications design, and

• the program manager to develop the SSAA.

SSAA Implementation. In practice, Air Force system program offices were not preparing SSAAs for acquisition programs with information technology requirements in that only 26 of the 40 system program offices surveyed had prepared SSAAs. To determine whether Air Force system program offices had an SSAA, we requested SSAAs from the program managers for the 40 system program offices surveyed.
We also contacted the Air Force Operational Test and Evaluation Center, which conducts the Air Force’s operational testing and evaluation to determine whether it required and received SSAAs for use in conducting operational testing.

[11] The term program manager refers to the acquisition program manager during the system acquisition, the system manager during the operation of the system, or the maintenance organization’s program manager when a system is undergoing a major change.

SSAA Survey. In the survey questionnaire on the implementation of interoperability and IA requirements, we asked the program managers the following question concerning SSAAs: Of the following documentation normally provided to the milestone decision authority at the system development and demonstration decision point and the production and deployment decision point, which adequately describes IA requirements and strategies? In response, 20 of the 40 program managers believed that the SSAA best described the IA requirements and strategies for the system development and demonstration milestone decision and 8 of the 40 program managers believed that it best described the IA requirements and strategies for the production and deployment milestone decision (Appendix E contains the results of the survey).

SSAA Request. Based on our request, 26 of the 40 Air Force system program offices provided an SSAA. We did not determine whether the contents of the SSAAs were adequate.
Only through the preparation of SSAAs before program milestone decision points can the milestone decision authority have assurance that the SSAA signatories[12] have all agreed on the method for implementing information technology security requirements and maintaining operational systems security.

Air Force Operational Test and Evaluation Center. Air Force Operational Test and Evaluation Center personnel stated that they required SSAAs as part of their operational test readiness review. When an SSAA was not available, the testers did not have information needed to assess compliance with the technical and nontechnical implementation of the security design and to determine whether the system program office had properly implemented security features affecting system confidentiality, integrity, availability, and accountability.

Coordination of DITSCAP Testing and Program Evaluation

DITSCAP Coordination Requirements.
DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” May 12, 2003; DoD Guidebook, “Interim Defense Acquisition Guidebook,” October 30, 2002;[13] Director, Operational Test and Evaluation memorandum, “Policy for Operational Test and Evaluation of Information Assurance,” November 17, 1999; and Air Force Instruction 33-202, “Network and Computer Security,” June 17, 2004, discuss the coordination of DITSCAP testing.

[12] The SSAA signatories are the program manager, the designated approving authority, the certification authority, and the user.

[13] Formerly DoD Regulation 5000.2-R, “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information System (MAIS) Acquisition Programs,” April 5, 2002. The former DoD Regulation 5000.2-R will serve as the guidebook while the Defense Acquisition Policy Working Group creates a streamlined guidebook.

DoD Instruction. DoD Instruction 5000.2 requires the program manager, together with the user and test and evaluation communities, to coordinate developmental test and evaluation, operational test and evaluation, live-fire test and evaluation, family-of-systems interoperability testing, IA testing, and modeling and simulation activities into an efficient process that is integrated with the system requirements definition and the system design and development.

DoD Guidebook.
The Guidebook states that testers should conduct IA testing on information systems to verify that planned and implemented security measures satisfy ORD and SSAA requirements when the system is installed and operated in its intended environment. Further, the Guidebook states that the program manager, the operational test and evaluation authority, and the designated approving authority should coordinate and determine the level of risk associated with operating a system and the extent of security testing[14] required.[15]

Director, Operational Test and Evaluation Policy. The Director, Operational Test and Evaluation memorandum[16] requires the operational test agencies for programs subject to the DITSCAP to coordinate with the SSAA signatories throughout the acquisition cycle to minimize duplicative testing by the operational test agencies. Further, the memorandum requires the operational test agencies and the SSAA signatories to maximize opportunities to meet operational requirements through concurrent testing, particularly in DITSCAP vulnerability assessments, security tests and evaluations, and penetration testing.

Air Force Instruction 33-202. Air Force Instruction 33-202 establishes Air Force computer security requirements associated with information protection. The Instruction requires the program manager to ensure the appropriate coordination and review of all decisions concerning security trade-offs and changes in requirements with the SSAA signatories.

Coordination of IA Test Results. The Air Force operational testers for programs subject to the DITSCAP were coordinating with the SSAA signatories to minimize duplicative testing.
To determine how effectively the Air Force operational testers were coordinating with the SSAA signatories to minimize duplicative IA testing, we contacted personnel from the Air Force Operational Test and Evaluation Center and the Air Force Information Warfare Center and reviewed applicable test reports.

[14] Security testing is the examination and analysis of the safeguards, which are required to protect an information technology system, to determine the security capabilities of that system.

[15] The April 2002 and the June 2001 versions of DoD Regulation 5000.2-R had the same requirements as the DoD Guidebook.

[16] According to personnel in the Office of the Director, Operational Test and Evaluation, the Office of the Secretary of Defense incorporated the intent of the memorandum into the May 2003 version of the DoD 5000 series documents; however, as of October 2004, that office was updating the policy to address IA operational test and evaluation.

Air Force Operational Test and Evaluation Center. Air Force Operational Test and Evaluation Center representatives stated that their organization did not have the internal resources to conduct IA technical evaluations. Instead, they incorporate and rely on IA test results from the Air Force Information Warfare Center for inclusion in their test reports. In addition, the representatives stated that, as members of the integrated test team, they were aware of developmental as well as operational testing events. Specifically, they include in their test reports IA test results from developmental testing, as applicable.
To further enhance the test and evaluation process, the representatives stated that their organization was preparing an IA checklist to ensure compliance with DITSCAP, DoD Instruction 8500.2, and National Institute of Standards and Technology Act[17] requirements associated with information technology.

Air Force Information Warfare Center. The Air Force Information Warfare Center plans and conducts operations security, IA, and system vulnerability assessments as described in program documentation and integrated test plans, and participates in integrated test teams and test integrated product teams. Representatives from the Air Force Information Warfare Center stated that their ability to facilitate and coordinate with SSAA signatories concerning whether programs meet interoperability and IA requirements has improved as a result of the requirement to include specific IA requirements in capability documents.

Test Reports. To determine the extent of Air Force Information Warfare Center coordination with SSAA signatories, we reviewed three Air Force Information Warfare Center test reports on Air Force acquisition programs subject to the DITSCAP. Of the three test reports, two addressed system security and vulnerability findings and recommendations that the Air Force Information Warfare Center had coordinated with the respective system program offices. The test reports addressed the accompanying recommendations to the respective SSAA signatories and included actions to mitigate the system vulnerabilities that were identified during testing and analysis.
By coordinating with the SSAA signatories for programs subject to the DITSCAP and with the Air Force Operational Test and Evaluation Center, the Air Force Information Warfare Center operational testers minimized duplicative testing for decisions concerning security trade-offs and changes in IA requirements.

Management Comments on the Finding and Audit Response

A summary of management comments on the finding and audit responses is in Appendix G.

[17] The National Institute of Standards and Technology Act requires the Institute to develop standards, guidelines, and associated methods and techniques for information systems. Those standards and guidelines are to include standards to be used by all agencies to categorize information and information systems collected or maintained by or on behalf of each agency. Further, the standards and guidelines are to include guidelines developed with DoD, including the National Security Agency, for identifying an information system as an NS system.

Recommendation and Management Comments

B. We recommend that the Air Force Chief Information Officer verify that Air Force system program offices prepared system security authorization agreements before milestone decision points for systems subject to the DoD Information Technology Security Certification and Accreditation Process, in accordance with DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997, and Air Force Instruction 33-202, “Network and Computer Security,” June 17, 2004.

Air Force Chief Information Officer Comments.
The Air Force Chief Information Officer concurred, stating that SSAA information is collected in the Air Force Enterprise Information Technology Data Repository.[18] Further, the Air Force Chief Information Officer stated that his staff now verify the existence of an SSAA as part of the information assurance strategy review process. For the complete text of the Air Force Chief Information Officer’s comments, see the Management Comments section of the report.

Director, Joint Staff Comments. Although not required to comment, the Director agreed with the recommendation, stating that the Joint Staff will support the recommendation through its role as a principal member of the Interoperability Test Panel. For the complete text of the Director’s comments, see the Management Comments section of the report.

[18] The Air Force Enterprise Information Technology Data Repository, formerly called the Systems Compliance Database, is a repository of information on information technology systems and initiatives to support the Clinger-Cohen Act information technology registration, Federal Information Security Management Act compliance, and information technology portfolio management, and will support C4I support planning beginning in November 2005.

C. Populating and Maintaining the Global Information Grid’s Asset Inventory

The Air Force had not populated and maintained its portion of the GIG[19] asset inventory for acquisition programs containing information technology requirements.
The GIG asset inventory was not populated because DoD had not issued guidance specifying:

• the composition of the GIG asset inventory for acquisition programs containing information technology requirements, and

• the process that the Air Force and the other DoD Components need to follow to populate and maintain their respective GIG asset inventories.

Without a defined policy describing how the DoD Components will populate and maintain the GIG asset inventory for acquisition programs containing information technology requirements, DoD cannot ensure that its acquisition programs have the most effective, efficient, and secure information-handling capabilities available, consistent with national military strategy and warfighter operational requirements.

GIG Statutory Requirements and Policy

The Federal Information Security Management Act of 2002; section 2223, title 10, United States Code, “Information Technology: Additional Responsibilities of Chief Information Officers;” DoD Directive 4630.5; and DoD Directive 8100.1, “Global Information Grid (GIG) Overarching Policy,” November 21, 2003, provide statutory requirements and policy for the GIG asset inventory.

Federal Information Security Management Act of 2002. Section 305, “Technical and Conforming Amendments,” of the Act requires DoD to develop and maintain an inventory of major information systems, including major NS systems, that it operates or controls.
Further, section 301, “Information Security,” states that NS systems include information systems used or operated by an agency or contracted by an agency, the function, operation, or use of which involves intelligence activities, cryptologic agencies related to NS, command and control of military forces, and equipment that is an integral part of a weapon or weapons system that is critical to direct fulfillment of military or intelligence missions.

[19] The GIG is not one system; it is an end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes all owned and leased communication and computing systems, services, software, data, security services, NS systems, and associated services necessary to achieve information superiority.

Section 2223. Section 2223 requires the DoD Chief Information Officer to maintain a consolidated inventory of DoD mission-critical and mission-essential information systems, identify interfaces between those systems and other information systems, and develop and maintain contingency plans for responding to a disruption in the operation of any of those information systems.

DoD Directive 4630.5. The Directive updates DoD policy and responsibilities for interoperability and supportability of information technology, including NS systems, and implements DoD Chief Information Officer’s responsibilities.
The Directive requires the DoD Chief Information Officer to ensure the development, implementation, and maintenance of the GIG architecture in accordance with DoD Directive 8100.1.

DoD Directive 8100.1. The Directive establishes policy and assigns responsibilities for GIG configuration management and architecture to the Office of the Secretary of Defense as well as the Military Departments. The Directive requires:

• the establishment and maintenance of an enterprise-wide inventory of GIG assets;
• the Under Secretary of Defense for Acquisition, Technology, and Logistics to ensure that acquisition programs fully consider documented GIG requirements;
• the Under Secretary of Defense (Comptroller) to collaborate with the DoD Chief Information Officer, where necessary, to identify and coordinate improvements to identify and describe information technology resources;
• the DoD Components, including the Joint Chiefs of Staff, to populate and maintain their portions of the GIG asset inventory; and
• the Chairman of the Joint Chiefs of Staff to develop joint doctrine and ensure the compatibility of the Chairman of the Joint Chiefs of Staff instructions with GIG policy and guidance.

Before DoD issued DoD Directive 8100.1, the above requirements were included in Deputy Secretary of Defense Memorandum, “DoD Chief Information Officer (CIO) Guidance and Policy Memorandum No.
8-8001 – March 31, 2000 – Global Information Grid,” March 31, 2000.

GIG Asset Inventory

Compiling a GIG Asset Inventory. Personnel in the Office of the Air Force Chief Information Officer stated that the Air Force had not compiled a GIG asset inventory of major information systems, including acquisition programs containing information technology requirements.20 Although no Air Force GIG asset inventory existed, we asked the 40 Air Force program offices surveyed whether they considered their programs to be part of the GIG asset inventory. The program offices’ responses were as follows:

    • 14 Air Force program offices responded that their programs were part of the GIG asset inventory,
    • 16 Air Force program offices responded that their programs were not part of the GIG asset inventory, and
    • 10 Air Force program offices were not sure whether their programs were part of the GIG asset inventory.

Appendix E contains the complete results of the program offices’ survey.

20 Although not a GIG asset inventory, the Air Force Chief Information Officer noted that the Air Force did conduct an inventory of assets using the Enterprise Information Technology Data Repository, which feeds into the DoD Information Technology Registry.

Issuing GIG Asset Inventory Guidance.
According to representatives from the Office of the Air Force Chief Information Officer, the Air Force did not populate and maintain its portion of the GIG asset inventory because DoD had not issued guidance specifying the composition of the GIG asset inventory and the process that the Air Force and the other DoD Components need to follow to populate and maintain their respective GIG asset inventories. The representatives noted that the Deputy DoD Chief Information Officer had issued a memorandum, “Component Support of DoD Information Technology Portfolio Review Process,” July 13, 2004, which discusses populating the DoD Information Technology Portfolio Data Repository with DoD information systems,21 and that DoD Directive 8100.1 discusses what the GIG includes. However, the representatives stated that the DoD Information Technology Portfolio Data Repository was not the GIG asset inventory and that DoD Directive 8100.1 did not discuss how to populate and maintain the GIG asset inventory.

Complying With the GIG Asset Inventory Requirement. According to the Principal Director to the Deputy DoD Chief Information Officer, DoD did not have a GIG asset inventory; however, the nearest DoD equivalent was the DoD Information Technology Registry,22 which DoD uses to compile data to meet the Federal Information Security Management Act reporting requirements.23 Further,

21 A DoD information system is a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.
The DoD information system includes automated information system applications, enclaves, outsourced information-technology-based processes, and platform information technology connections.

22 The DoD Information Technology Registry is the repository for information about the DoD mission-critical and mission-essential information technology systems. The Military Department Chief Information Officers were told to add all non-mission-critical and non-mission-essential information technology systems to the Registry by September 30, 2006.

23 Inspector General of the Department of Defense response on October 6, 2004, to the Office of Management and Budget regarding Federal agencies’ information security associated with the Federal Information Security Management Act of 2002 also addressed the GIG asset inventory issue. Further, Inspector General of the Department of Defense Report No. D-2005-029, “Management of Information Technology Resources Within DoD,” January 27, 2005, addressed the requirement for the Assistant Secretary of Defense for Networks and Information Integration to report the asset inventory relating to the status of DoD information systems to the Office of Management and Budget and for congressional purposes associated with the Federal Information Security Management Act of 2002.

the Principal Director stated that, even though the DoD Information Technology Registry was not adequate to use as the GIG asset inventory, DoD may develop it into the GIG asset inventory. To this end, DoD is considering using the Department of the Navy Application and Database Management System on an interim basis for the GIG asset inventory.
The Principal Director also stated that the Department of the Navy Application and Database Management System could:

    • absorb the DoD Information Technology Registry and
    • be expanded to include necessary GIG data elements if the System was used to build the GIG asset inventory.

Further, the Principal Director stated that the Joint Staff J-6 contacted the Office of the DoD Chief Information Officer about using the DoD Information Technology Registry to replace the Joint C4I Program Assessment Tool to track systems that have completed the Joint Staff J-6 interoperability certification process. In conclusion, the Principal Director stated that changes in the application of the DoD Information Technology Registry may require DoD Directive 8100.1 to be updated.

Policy for Populating and Maintaining the GIG Asset Inventory

Without a defined policy describing how the DoD Components will populate and maintain the GIG asset inventory for acquisition programs containing information technology requirements, DoD cannot ensure that its acquisition programs have the most effective, efficient, and secure information-handling capabilities available, consistent with national military strategy and warfighter operational requirements.

Conclusion

To establish and maintain an enterprise-wide inventory of GIG assets, including acquisition programs containing information technology requirements, DoD guidance should be issued to define policy describing how the DoD Components will populate and maintain the GIG asset inventory. Inspector General of the Department of Defense Report No.
D-2005-033, “Implementation of the Interoperability and Information Assurance Policies for Acquisition of Navy Systems,” February 2, 2005, addressed the need for DoD guidance in populating and maintaining the GIG asset inventory and will include a recommendation addressing the issue. Specifically, the resulting report recommended that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer prepare and staff a DoD directive that specifies the:

    • types of systems and system information capability requirements to be included in the GIG asset inventory and
    • responsibilities of DoD Components in populating and maintaining the GIG asset inventory.

Management Comments on the Finding

A summary of management comments on the finding and audit responses is in Appendix G.

Appendix A. Scope and Methodology

We reviewed documentation dated from March 1994 to July 2004.
To accomplish the audit objective, we reviewed:

    • the Air Force’s efforts to implement interoperability and information assurance requirements during the acquisition process for acquisition programs;
    • system requirements and capabilities documentation for interoperability and information assurance requirements;
    • the controls over the Joint Staff J-6 interoperability certification process and the Joint Command, Control, Communications, Computers, and Intelligence Program Assessment Tool; and
    • applicable criteria.

We also contacted the staffs of the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer; the Air Force Air Combat Command; the Air Force Air Mobility Command; the Air Force Space Command; the Director for Command, Control, Communications, and Computers Systems Directorate (J-6), Office of the Chairman of the Joint Chiefs of Staff; the Defense Information Systems Agency; the Deputy Assistant Secretary of the Air Force (Management Policy and Program Integration), Office of the Assistant Secretary of the Air Force (Acquisition); the Air Force Chief Information Officer; the Directorate of Command, Control, Communications, and Computers, Intelligence, Surveillance, and Reconnaissance Infostructure, Office of the Air Force Deputy Chief of Staff for Warfighting Integration; the Directorate of Operational Capabilities Requirements, Office of the Air Force Deputy Chief of Staff for Air and Space Operations; the Air Force Operational Test and Evaluation Center; the Joint
Interoperability Test Command; the Air Force Test and Evaluation Directorate; the Air Force Communications Agency; and the Air Force Information Warfare Center.

In addition, we judgmentally selected for review 40 Air Force acquisition programs24 to:

    • obtain the program managers’ perspectives on interoperability and IA requirements;
    • review ORDs, C4I support plans, TEMPs, and SSAAs; and
    • determine the stage of each program in the Joint Command, Control, Communications, Computers, and Intelligence Program Assessment Tool repository for Joint Staff J-6 interoperability certification.

24 The Predator Unmanned Aerial Vehicle program comprises two systems: the Predator Medium Altitude Endurance Unmanned Aerial Vehicle (RQ-1A) and the Predator Hunter-Killer Unmanned Aerial Vehicle (MQ-9). However, the audit reviewed only the RQ-1A because the supporting documentation for the MQ-9 was not available at the time of the audit.

We performed this audit from July 2002 through November 2004 in accordance with generally accepted government auditing standards. We did not review the management control program because the audit focused on interoperability and IA requirements and review processes; therefore, our scope was limited to those specific requirements and processes.

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in the DoD. This report provides coverage of the DoD weapon systems acquisition high-risk area.

Use of Technical Support.
The Technical Assessment Division, Office of the Assistant Inspector General for Audit Followup and Technical Support assisted the audit by reviewing the ORDs, C4I support plans, TEMPs, and SSAAs for the programs reviewed. In addition, the Technical Assessment Division reviewed selected test reports that the Air Force Operational Test and Evaluation Command prepared during FYs 2001, 2002, and 2003 to determine whether testers performed IA testing in accordance with DoD and Air Force policy.

Use of Computer-Processed Data. We did not rely on computer-processed data to perform this audit.

Appendix B. Prior Coverage

During the last 5 years, the Government Accountability Office, the Inspector General of the Department of Defense, and the Defense Science Board have issued nine reports addressing interoperability and IA requirements for DoD systems. Unrestricted Government Accountability Office and Inspector General of the Department of Defense reports can be accessed at http://www.gao.gov and http://www.dodig.osd.mil/audit/reports, respectively.

Government Accountability Office (GAO)

GAO Report GAO-04-858, “Defense Acquisitions - The Global Information Grid and Challenges Facing Its Implementation,” July 2004

GAO Report GAO-03-329, “Defense Acquisitions - Steps Needed to Ensure Interoperability of Systems that Process Intelligence Data,” March 2003

Inspector General of the Department of Defense (IG DoD)

IG DoD Report No. D-2005-033, “Implementation of the Interoperability and Information Assurance Policies for Acquisition of Navy Systems,” February 2, 2005

IG DoD Report No.
D-2004-008, “Implementation of Interoperability and Information Assurance Policies for Acquisition of Army Systems,” October 15, 2003

IG DoD Report No. D-2003-024, “Information Assurance Challenges – An Evaluation of Audit Results Reported from August 23, 2001, through July 31, 2002,” November 21, 2002

IG DoD Report No. D-2003-011, “Implementation of Interoperability and Information Assurance Policies for Acquisition of DoD Weapon Systems,” October 17, 2002

IG DoD Report No. D-2001-176, “Survey of Acquisition Manager Experience using the DoD Joint Technical Architecture in the Acquisition Process,” August 22, 2001

IG DoD Report No. D-2001-121, “Use of the DoD Joint Technical Architecture in the Acquisition Process,” May 14, 2001

Defense Science Board

Defense Science Board Task Force, “Protecting the Homeland, Report of the Defense Science Board Task Force on Defensive Information Operations, 2000 Summer Study, Volume II,” March 2001

Appendix C. Glossary

Accreditation. Accreditation is the formal declaration by the designated approving authority that an information technology system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

Acquisition Category. An acquisition category is an attribute of an acquisition program that determines the program’s level of review, decision authority, and applicable procedures.
The acquisition categories consist of I, major Defense acquisition programs; IA, major automated information systems; II, major systems; III, programs not meeting the criteria for acquisition categories I, IA, or II; and IV, programs designated as such by the Air Force, Navy, and Marine Corps.

Air Force Enterprise Information Technology Data Repository. The Air Force Enterprise Information Technology Data Repository, formerly called the Systems Compliance Database, is a repository of information on information technology systems and initiatives to support the Clinger-Cohen Act information technology registration, Federal Information Security Management Act compliance, and information technology portfolio management, and will support C4I support planning beginning in November 2005.

Architecture. An architecture is the structure of components, their relationships, and the principles and guidelines governing their design and evolution over time.

Capstone Requirements Document. A capstone requirements document contains capabilities-based requirements that facilitate the development of individual capability development documents by providing a common framework and operational concept to guide their development.

Certification Authority. Certification authority is the official responsible for performing the comprehensive evaluation of the technical and nontechnical security features of an information technology system and other safeguards to determine the extent to which a particular design and implementation meet a set of specified security requirements.

Command, Control, Communications, Computers, and Intelligence Support Plan.
A C4I support plan describes system dependencies and interfaces in sufficient detail to enable program managers and operational testers to test interoperability key performance parameters derived from information exchange requirements.

Command, Control, Communications, Computers, and Intelligence Surveillance and Reconnaissance Architecture Framework. The C4I surveillance and reconnaissance architecture framework provides rules, guidance, and product descriptions for developing and presenting different architectural views of a given system to ensure a common denominator for understanding, comparing, and integrating architectures across DoD.

Designated Approving Authority. The designated approving authority is an official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The term designated approving authority is synonymous with designated accrediting authority and delegated accrediting authority.

Developmental Test and Evaluation. Developmental test and evaluation is any engineering type of test used to verify the status of technical progress, verify that design risks are minimized, substantiate achievement of contract technical performance, and certify readiness for initial operational testing. Generally, those tests are instrumented and measured by engineers, technicians, or soldier operator-maintainer test personnel in a controlled environment to facilitate failure analysis.

DoD Information Technology Registry. The DoD Information Technology Registry is the repository for accurate and current information about the DoD mission-critical and mission-essential information technology systems. The Military Department Chief Information Officers plan to add all non-mission-critical and non-mission-essential information technology systems to the Registry by September 30, 2006.

DoD Information System.
A DoD information system is a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. The DoD information system includes automated information system applications, enclaves, outsourced information technology-based processes, and platform information technology connections.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The DITSCAP is the standard DoD process for identifying information security requirements, providing security solutions, and managing information system security activities.

Global Information Grid. The Global Information Grid provides the foundation for net-centric warfare, information superiority, decision superiority, and ultimately, full spectrum dominance. The GIG includes any system, equipment, software, or service that transmits information to, receives information from, routes information among or interchanges information among other equipment, software, and services. Non-GIG information technology is stand-alone, self-contained, or embedded information technology that is not and will not be connected to the enterprise network.

Global Information Grid Key Interface Profile. A Global Information Grid key interface profile provides a net-centric approach for managing interoperability across the GIG based on the configuration control of key interfaces.

Information Assurance. Information assurance is measures that protect and defend the information and information systems by ensuring their availability, integrity, confidentiality, authentication, and nonrepudiation. Information assurance provides for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

Information Exchange Requirements.
Information exchange requirements characterize the information exchanges to be performed by a proposed system and identify who exchanges what information with whom, why the information is necessary, and how the users will employ that information.

Information Technology. Information technology is the hardware, firmware, and software used as part of the information system to perform DoD information functions. Information technology includes computers, telecommunications, automated information systems, automatic data processing equipment, and any assembly of computer hardware, software, and firmware configured to collect, create, communicate, compute, disseminate, process, store, and control data or information.

Interoperability. Interoperability is the ability of systems, units, or forces to provide services to or accept services from other systems, units, or forces and to use the services so exchanged to operate effectively together.

Interoperability Certification. Certification as it applies to interoperability is a formal statement of adequacy provided by a responsible agency (usually Joint Staff) attesting that a system has met its interoperability and supportability requirements.

Joint Mission Area. A joint mission area is a functional group of joint tasks and activities that share a common purpose and facilitate joint force operations.

Joint Operational Architecture. A joint operational architecture describes tasks and activities, operational elements, and information flows required to accomplish or support military operations; defines types of information exchanged, frequency of exchange, which tasks and activities are supported by information exchanges, and nature of information exchanges in detail sufficient to ascertain specific interoperability requirements.

Joint Technical Architecture.
The Joint Technical Architecture is a common set of mandatory information technology standards, which are primarily interface standards and guidelines to be used by all emerging systems and system upgrades, including advanced concept technology demonstrations. The Joint Technical Architecture can be used to establish a system’s technical architecture, and is applicable to all C4I and automated information systems and the interfaces of other key assets, such as weapon systems and sensors, with C4I systems.

Key Performance Parameters. Key performance parameters are a critical subset of the performance parameters found in the ORD. Each key performance parameter has a threshold and an objective value. Key performance parameters represent those capabilities or characteristics so significant that failure to meet the threshold value of performance can be cause for the concept or system selected to be reevaluated or the program to be reassessed or terminated.

National Security System. A national security system is any telecommunication or information system operated by the U.S. Government, whose function, operation, or use involves intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon system, or is critical to the direct fulfillment of military or intelligence missions.

Network-Centric Warfare. Network-centric warfare25 allows a warfighting force to achieve improved information positions in the form of common operational pictures that provide the basis for shared situational awareness and knowledge, and a resulting increase in combat power.

Net-Ready Key Performance Parameter (Net-Ready KPP).
A net-ready KPP assesses information needs, information timeliness, information assurance, and net-enabled attributes required for information exchange and use. A net-ready KPP consists of measurable and testable characteristics, performance metrics, or both, required for the timely, accurate, and complete exchange and use of information to satisfy information needs for a given capability. The net-ready KPP comprises the following elements: compliance with the net-centric operations and warfare reference model, compliance with applicable GIG key interface profiles, verification of compliance with DoD information assurance requirements, and supporting integrated architecture products required to assess information exchange and use for a given capability. A net-ready KPP is documented in the following requirements documents: a capability development document, a capability production document, and a capstone requirements document.

Non-Acquisition Category. Non-acquisition category systems are all defense information technology and national security system projects, pre-acquisition demonstration, joint experimentations, joint tests and evaluations, and non-DoD 5000 series information technology and NS system acquisitions and procurements.

Objective. The objective is the performance value that is desired by the user and which the program manager is attempting to obtain. The objective represents an operationally meaningful, time critical, and cost-effective increment above the performance threshold for each program parameter.

Operational Architecture View.
The operational architecture view is a description of the tasks and activities, operational elements, and information flows required to accomplish or support a military operation.

25 An in-depth discussion of network-centric warfare is provided in the book, Network Centric Warfare: Developing and Leveraging Information Superiority, 2nd Edition (Revised), by David S. Alberts, John J. Garstka, and Frederick P. Stein, C4I Surveillance and Reconnaissance Cooperative Research Program, August 1999.

Operational Effectiveness. Operational effectiveness is the overall degree of mission accomplishment of a system when representative personnel use the system in the environment planned or expected for operational employment of the system, considering organization, doctrine, tactics, survivability, vulnerability, and threat.

Operational Requirements Document. The operational requirements document states the user’s objectives and minimum acceptable requirements for the operational performance of a proposed concept or system.

Operational Test and Evaluation. Operational test and evaluation is field testing, under realistic conditions, of any item or component of weapons, equipment, or munitions to determine their effectiveness and suitability for use in combat by typical military users and the evaluation of the results of such tests.

Penetration Testing. Penetration testing assesses a system’s ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities. Penetration testing may include insider and outsider penetration attempts based on common vulnerabilities for the technology being used.

Program.
A program is a weapon system acquisition funded by research, development, test and evaluation or procurement appropriations, or both, with the express objective of providing a new or improved capability in response to a stated mission need or deficiency.

Program Manager. Program manager refers to the acquisition program manager during the system acquisition, the system manager during the operation of the system, or the maintenance organization’s program manager when a system is undergoing a major change.

System. A system is the organization of hardware, software, materiel, facilities, personnel, data, and services needed to perform a designated function with specified results, such as the gathering of specified data, its processing, and delivery to users.

System Evaluation Plan. The system evaluation plan documents the integrated test and evaluation strategy, which the testers and evaluators use throughout the system acquisition life cycle. The system evaluation plan:

    • addresses system critical operational issues and criteria, critical technical parameters, and additional evaluation focus areas;
    • identifies data needs and sources, and the approach to be used to evaluate the system;
    • specifies the analytical plan; and
    • identifies program constraints.

The system evaluation plan details the evaluator’s planned actions for the evaluation of the system and is prepared and updated by the system evaluator.

System Security Authorization Agreement. The system security authorization agreement is a formal agreement among the designated approving authority, the certification authority, the information technology system user representative, and the program manager.
The agreement is used throughout the entire DITSCAP to guide actions, document decisions, specify information technology security requirements, document certification tailoring and level-of-effort, identify potential solutions, and maintain operational systems security.

System Security Authorization Agreement Signatories. The system security authorization agreement signatories include the information technology system program manager, the designated approving authority, the certification authority, and the user representative.

Technical Architecture View. A technical architecture view is a minimal set of rules governing the arrangement, interaction, and interdependence of system parts or elements, whose purpose is to ensure that a conformant system satisfies a specified set of requirements.

Test and Evaluation Master Plan (TEMP). The TEMP documents the overall structure and objectives of the test and evaluation program. It provides a framework within which to generate detailed test and evaluation plans and it documents schedule and resource implications associated with the test and evaluation program. The TEMP identifies the necessary developmental test and evaluation, operational test and evaluation, and live-fire test and evaluation activities. Further, the TEMP relates program schedule, test management strategy and structure, and required resources to critical operational issues, critical technical parameters, objectives and thresholds documented in the operational requirements document, evaluation criteria, and milestone decision points.

Threshold. Threshold is the minimum acceptable value that, in the user’s judgment, is necessary to satisfy the need. If threshold values are not achieved, program performance is seriously degraded, the program may be too costly, or the program may no longer be timely.

User Representative.
The user representative is the liaison for the user or the
user community, particularly during the initial development of a system. The user
representative is the individual or organization that represents the user community
in the specification, acquisition and maintenance of information technology
system. The user representative defines the system mission and functionality and
is responsible for ensuring that the user’s interests are maintained throughout
system development, modification, integration, acquisition, and deployment.

Vulnerability. Vulnerability is the characteristics of a system that cause it to
suffer a definite loss or reduction of capability to perform its designated mission
as a result of having been subjected to a certain level of effects in a man-made
hostile environment.

Appendix D. Global Information Grid

Global Information Grid. The GIG provides the foundation for network-centric
warfare, information superiority, decision superiority, and ultimately full
spectrum dominance as depicted in the figure below.

Figure: Foundation for Achieving Full Spectrum Dominance [26]

The concept of the GIG evolved from concerns about the interoperability and
end-to-end integration of automated information systems. Issues such as
streamlined management and improved information infrastructure investment also
contributed to the heightened interest in a GIG. However, the real demand for a
GIG originates from the requirement for information and decision superiority to
achieve full spectrum dominance, as expressed in Joint Vision 2020.
The ability
to achieve shared situational awareness and knowledge among all elements of a
joint force, including allied and coalition partners, is increasingly viewed as a
cornerstone to transform future warfighting capabilities.

Network-Centric Warfare. The GIG capstone requirements document states
that network-centric warfare allows a warfighting force to achieve improved
information positions in the form of common operational pictures that provide the
basis for shared situational awareness and knowledge, and a resulting increase in
combat power.

Information Superiority. Information superiority is the capability to collect,
process, and disseminate an uninterrupted flow of information while exploiting or
denying an adversary’s ability to do the same. Information superiority is
achieved in a noncombat situation or one in which there are no clearly defined
adversaries when friendly forces have the information necessary to achieve
operational objectives. Information superiority provides the joint force with a
competitive advantage only when it is effectively translated into superior
knowledge and decisions. The joint force must be able to take advantage of
superior information converted to superior knowledge to achieve “decision
superiority.”

[26] Figure obtained from the GIG Capstone Requirements Document, August 30, 2001.

Decision Superiority. Decision superiority is to arrive at better decisions and
implement them faster than an opponent can react, or in a noncombat situation, at
a tempo that allows the force to shape the situation or react to changes and
accomplish its mission. Decision superiority does not automatically result from
information superiority.
Organizational and doctrinal adaptation, relevant
training and experience, and the proper command and control mechanisms and
tools are equally necessary.

Full Spectrum Dominance. The transformation of the joint force to reach full
spectrum dominance rests upon information superiority as a key enabler and our
capacity for innovation. The label full spectrum dominance implies that U.S.
Forces are able to conduct prompt, sustained, and synchronized operations with
combinations of forces tailored to specific situations and with access to and
freedom to operate in all domains: space, sea, land, air, and information.
Additionally, given the global nature of our interests and obligations, the United
States must maintain its overseas presence forces and the ability to rapidly project
power worldwide in order to achieve full spectrum dominance.

Appendix E. Results of the Air Force Interoperability and Information Assurance Survey

Survey Question
    Survey Answers    Number of Program Managers Responded

1. What acquisition category is your program?
    a. Acquisition Category IAM or Acquisition Category IAC    6
    b. Acquisition Category ID or Acquisition Category IC    19
    c. Acquisition Category II    1
    d. Acquisition Category III    12
    e. Non-DoD Acquisition Process    0
    f. Other    2

2. What type of system is your program? (Some program offices had multiple responses)
    a. NS system    7
    b. Information technology system (that is not an NS system)    4
    c. Weapon system    19
    d. Automated information system    3
    e. None of the above    10

3. What is the last milestone your program completed?
    a. Pre-acquisition (for example, science and technology, concept development, demonstration)    1
    b. Milestone A (or 0)    3
    c. Milestone B (or II or system development and demonstration)    14
    d. Milestone C (or III or low-rate initial production)    6
    e. Beyond Milestone C (or full-rate production)    7
    f. Other    9

4. Which joint mission area does your program support? Select the appropriate answer based on the Chairman of the Joint Chiefs of Staff Memorandum (CM-1014-00), “Joint Mission Areas to Organize the Joint Operational Architectures.”
    a. Dominant maneuver    14
    b. Deployment redeployment    19
    c. Precision engagement    20
    d. Strategic deterrence    8
    e. Overseas presence and force projection    18
    f. Special operations    15
    g. Joint command and control    18
    h. Information superiority    18
    i. Focused logistics    7
    j. Full dimensional protection    6
    k. Multinational operations/interagency coordination    12
    l. Other    6

5. For information technology or NS systems, the ORD must include interoperability requirements, thus requiring an interoperability KPP. These systems must also have related elements of IA. In this respect, do you think IA is a subcomponent of interoperability?
    a. Yes    30
    b. No    8
    c. Unsure    2

6. Should IA requirements be tested in addition to interoperability requirements?
    a. Yes    35
    b. No    4
    c. Unsure    1

7. Has the Director for Command, Control, Communications, and Computers Systems Directorate (J-6), Office of the Chairman of the Joint Chiefs of Staff (Joint Staff J-6) certified your program’s ORD for interoperability requirements?
    a. Yes    14
    b. No, the ORD has not been through the process yet.    6
    c. No, the ORD went through the process but was not certified    4
    d. In process    4
    e. Unsure    12

8. Is your program part of the GIG asset inventory?
    a. Yes    14
    b. No    16
    c. Unsure    10

9. How is your program compatible with the GIG? Select all that apply.
    a. Uses current Defense Information Switched Network services    19
    b. Uses approved allocated frequency plans    26
    c. Uses approved cryptology    30
    d. Meets appropriate standards (for example, Defense Information Infrastructure Common Operating Environment compliance)    27
    e. None of the above    0
    f. Other    11
    g. Unsure    1

10. Which Air Force oversight entity(ies) or command(s) assures that your Acquisition Category IAM, IAC, ID, or IC operates with other Defense agency and Military Department acquisition programs as envisioned by the warfighter.
    a. Program executive officer/milestone decision authority    22
    b. Headquarters, Air Force Assistant Chief of Staff, Systems for Command, Control, and Communications    2
    c. Headquarters, Air Force Deputy Chief of Staff, Air and Space Operations    5
    d. Assistant Secretary of the Air Force (Acquisition)    13
    e. Headquarters, Air Force Director of Test and Evaluation    9
    f. Assistant Secretary of Defense for Command, Control, Communications, and Intelligence    8
    g. Major Command and Field Operating Agencies    8
    h. Joint Staff J-6    8
    i. Director for Operational Plans and Interoperability Directorate (J-7), Office of the Chairman of the Joint Chiefs of Staff    0
    j. U.S. Joint Forces Command (J-6)    3
    k. Director, Operational Test and Evaluation    13
    l. Other    18

11. Which Air Force oversight entity(ies) or command(s) assures that your Acquisition Category II or below program operates with other Defense agency and Military Department acquisition programs as envisioned by the warfighter.
    a. Program executive officer/milestone decision authority    6
    b. Headquarters, Air Force Assistant Chief of Staff, Systems for Command, Control, and Communications    0
    c. Headquarters, Air Force Deputy Chief of Staff, Air and Space Operations    4
    d. Assistant Secretary of the Air Force (Acquisition)    6
    e. Headquarters, Air Force Director of Test and Evaluation    1
    f. Major Command and Field Operating Agencies    5
    g. Other    18

12. Of the following documentation normally provided to the milestone decision authority at Milestone B, which documents fully describe interoperability requirements and strategies? Select all that apply.
    a. ORD    34
    b. Capstone requirements document    10
    c. C4I support plan    21
    d. TEMP    15
    e. Developmental test results    5
    f. Operational test results    5
    g. System evaluation plan    2
    h. Event design plan    0
    i. Operational architecture view    11
    j. Systems architecture view    11
    k. Technical architecture view    7
    l. Security plans    9
    m. Other    12
    n. None    1

13. Of the following documentation normally provided to the milestone decision authority at Milestone C, which documents fully describe interoperability requirements and strategies? Select all that apply.
    a. ORD    29
    b. Capstone requirements document    9
    c. C4I support plan    19
    d. TEMP    20
    e. Developmental test results    10
    f. Operational test results    10
    g. System evaluation plan    4
    h. Event design plan    0
    i. Operational architecture view    14
    j. Systems architecture view    14
    k. Technical architecture view    11
    l. Security plans    11
    m. Other    16
    n. None    1

14. Of the following documentation normally provided to the milestone decision authority at Milestone B, which documents fully describe IA requirements and strategies? Select all that apply.
    a. ORD    23
    b. Capstone requirements document    5
    c. C4I support plan    16
    d. TEMP    15
    e. SSAA    20
    f. Developmental test results    6
    g. Operational test results    5
    h. System evaluation plan    2
    i. Event design plan    0
    j. Operational architecture view    4
    k. Systems architecture view    5
    l. Technical architecture view    3
    m. Security plans    16
    n. Other    9
    o. None    4

15. Of the following documentation normally provided to the milestone decision authority at Milestone C, which documents fully describe IA requirements and strategies? Select all that apply.
    a. ORD    25
    b. Capstone requirements document    6
    c. C4I support plan    17
    d. TEMP    13
    e. SSAA    8
    f. Developmental test results    7
    g. Operational test results    6
    h. System evaluation plan    3
    i. Event design plan    0
    j. Operational architecture view    9
    k. Systems architecture view    10
    l. Technical architecture view    7
    m. Security plans    18
    n. Other    10
    o. None    4

16. The inclusion of IA requirements in an ORD would benefit from the addition of high-level information exchange requirements. (See Chairman of the Joint Chiefs of Staff Instruction 3170.01B, “Requirements Generation System.”)
    a. I agree    22
    b. I disagree    8
    c. No opinion    7
    d. I am unsure    3

17. The ORD must define information exchange requirements for information technology and NS system acquisition programs.
    a. I agree    28
    b. I disagree    3
    c. No opinion    4
    d. I am unsure    5

18. IA should be a key performance parameter in my acquisition program that must exchange data external to the information technology system, NS system, or weapon system’s host platform.
    a. I agree    18
    b. I disagree    13
    c. No opinion    6
    d. I am unsure    3

19. My acquisition program will include the following IA security techniques or technologies before production. Select all that apply.
    a. Public key infrastructure    10
    b. Firewalls    23
    c. Smart cards    8
    d. Passwords    30
    e. Encryption/decryption    29
    f. Physical security    33
    g. Frequency hopping    9
    h. Restoration of capability    20
    i. None of the above    1
    j. Other    13

20. My acquisition program will include the following IA security techniques or technologies after production. Select all that apply.
    a. Public key infrastructure    12
    b. Firewalls    24
    c. Smart cards    13
    d. Passwords    30
    e. Encryption/decryption    34
    f. Physical security    35
    g. Frequency hopping    12
    h. Restoration of capability    23
    i. None of the above    0
    j. Other    9

21. List all IA products that are commercial-off-the-shelf products related and/or integrated into your acquisition program.
    The system program offices identified different commercial-off-the-shelf products. A list of the products identified is available upon request.

22. Are all the products listed in question 21 certified for IA by the National Security Agency?
    a. Yes    9
    b. No    14
    c. Unsure    13

23. Do you plan to have all products listed in question 21 certified for IA by the National Security Agency? Answer if question 22 was No. (Some program offices answered even if they had answered Yes to Question 22)
    a. Yes    13
    b. No    19

24. Do fluctuations in funding and prioritization impact system development as it relates to interoperability requirements?
    a. Yes    25
    b. No    13

25. Is your program in compliance with the Clinger-Cohen Act?
    a. Yes    32
    b. No    7

26. Do you believe the GIG currently addresses all IA requirements?
    a. Yes    21
    b. No    13

27. Does the system program office have an interoperability specialist assigned to the program?
    a. Yes    23
    b. No    17

28. Does the system program office have an IA specialist assigned to the program?
    a. Yes    27
    b. No    13

29. Has a risk assessment been conducted on meeting the program’s interoperability requirement?
    a. Yes    25
    b. No    15

30. Has a risk assessment been conducted on meeting the program’s IA requirements?
    a. Yes    23
    b. No    17

31. Who is completing the DITSCAP testing (for all appropriate phases) for your program? Provide name of point of contact, organization, title, telephone number, and email.
    The system program offices identified different points of contact that are completing the DITSCAP testing. A list of the points of contact identified is available upon request.

32. For the program’s System Threat Analysis Report (STAR), who determined the threat, specifically the IA threat, and who validated that threat?
    The system program offices identified different entities that determined the IA threat and validated that threat. A list of the entities identified is available upon request.

Appendix F. Air Force Programs Surveyed

1.  Advanced Extremely High Frequency
2.  Advanced Remote Ground Unattended Sensor
3.  Air Force Mission Support System
4.  B-1B Conventional Mission Upgrade Program
5.  C-5 Avionics Modernization Program
6.  C-17 A/C-17A Upgrades
7.  C-130 Avionics Modernization Program
8.  C-130J All Variants
9.  Combat Survivor Evader Locator
10. Defense Meteorological Satellite Program
11. Deliberate and Crisis Action Planning and Execution Segments
12. Air Force-Distributed Common Ground System
13. E-3A Airborne Warning and Control System
14. F-22 Raptor (Engineering and Manufacturing Development and Squadrons)
15. Global Broadcast Service
16. Global Combat Support System - Air Force
17. Aerospace Operations Center
18. Theater Battle Management Core System
19. Global Hawk Unmanned Aerial Vehicle
20. Global Positioning System
21. Global Transportation Network-21
22. Information Warfare Planning Capability
23. Integrated Maintenance Data System
24. Joint Air-to-Surface Standoff Missile
25. Joint Direct Attack Munition (500, 1,000, and 2,000 pounds)
26. Joint Precision Approach and Landing System
27. Joint Primary Aircraft Training System
28. Joint Strike Fighter
29. Joint Surveillance Target Attack Radar System
30. MILSTAR Satellite Communication System
31. Mobile Approach Control System
32. Multi-Platform - Common Data Link
33. National Airspace System
34. National Polar-Orbiting Operational Environment Satellite System
35. P-5 Combat Training System
36. Predator Medium Altitude Endurance Unmanned Aerial Vehicle
37. Space-Based Infrared System-High
38. Theater Deployable Communications
39. Time Critical Targeting Functionality
40. Wideband Gapfiller Satellite

Appendix G. Audit Response to Air Force Comments on the Report

Our detailed response to the comments from the Air Force Chief Information
Officer on statements in the draft report follow. The complete text of those
comments is in the Management Comments section of this report. The Air Force
Chief Information Officer commented on the inclusion of the Clinger-Cohen Act;
the applicability of information support plans; Air Force Instruction 33-202
“Network and Computer Security” June 17, 2004, or Air Force
Pamphlet 63-1701, “Program Protection Planning” March 27, 2003; Air Force
Instruction 63-101, “Operation of the Capabilities Based Acquisition System,”
April 2004; Air Force Asset Inventory; and Air Education and Training
Command.

Clinger-Cohen Act.
The Air Force Chief Information Officer stated that the
paragraphs on “Interoperability, Requirements and Certification Policy” and
“DoD Policy” in finding A discuss DoD policy related to interoperability
requirements and certification, but do not address the interoperability
requirements that are discussed in Enclosure 4 of DoD Instruction 5000.2,
“Operation of the Defense Acquisition System.” In Enclosure 4, program
managers are provided statutory and regulatory requirements for interoperability
as part of Clinger-Cohen Act compliance certification for mission-critical and
mission-essential systems. It states that, at a minimum, the DoD Component
Chief Information Officer’s confirmation or certification will include a written
description of the three materiel questions of section 3.6.4 and requirements
related to the Clinger-Cohen Act of 1996. The three materiel questions are:

    •   Do the acquisition support core/priority mission functions need to be
        performed by the Federal Government?

    •   Does the acquisition need to be undertaken by the DoD Component
        because no alternative private sector or governmental source can better
        support the function?

    •   Do the acquisition support work processes that have been simplified or
        otherwise redesigned reduce costs, improve effectiveness, and make
        maximum use of commercial off-the-shelf technology?

The Air Force Chief Information Officer stated that a recommendation for
updating DoD Instruction 5000.2 should be added to the report so that it requires
all information-technology-related systems, including automated information
systems connecting to the Global Information Grid, to meet the interoperability
requirements in DoD Directive 4630.5,
“Interoperability and Supportability of\n   Information Technology (IT) and National Security Systems (NSS),” May 5,\n   2004. Further, the Air Force Chief Information Officer stated that, if a system\n   does not fall into the mission-critical or mission-essential system definition or if\n   the system is an automated information system, program managers likely\n   disregard the need for Clinger-Cohen Act compliance.\n\n        Audit Response. DoD Directive 5000.1, “The Defense Acquisition System,”\n        May 12, 2003, does state that DoD policy for the information technology aspects\n        of interoperability and supportability appears in DoD Directive 4630.5.\n\n        Information Support Plan. The Air Force Chief Information Officer\n        commented on the “C4I Support Plans, C4I Support Plan Policy” and “DoD\n        Instruction” paragraphs in finding A. He stated that it appears that the DoD 5000\n        series, and its direction on C4I support plans or information support plans, was\n        not part of the audit. The Air Force Chief Information Officer suggested a\n        recommendation be included in the report that DoD Instruction 5000.2 be updated\n        to require a C4I support plan or information support plan for all information\n        technology systems, including automated information systems connected to the\n        Global Information Grid, rather than for only mission-critical and\n        mission-essential systems.\n\n        Audit Response. 
The Defense Acquisition Guidebook, December 2004,\n        identifies Chairman of the Joint Chiefs of Staff Instruction 6212.01C\n        “Interoperability and Supportability of Information Technology and National\n        Security Systems,” November 20, 2003, as mandatory requirements for all\n        acquisition programs, including information technology and NS systems.\n        Chairman of the Joint Chiefs of Staff Instruction 6212.01C applies to all\n        information technology and NS systems or services acquired, procured, or\n        operated by any DoD Component. The information support plan requirement in\n        Chairman of the Joint Chiefs of Staff Instruction 6212.01C applies to all\n        acquisition category, non-acquisition category,27 and fielded programs regardless\n        of approval authority, designation, increment, or block. The Instruction\n        specifically states that the program authority for those programs will prepare an\n        information support plan to document the information technology and NS systems\n        needs, objectives, and interface requirements.\n\n        Air Force Instruction and Pamphlet. The Air Force Chief Information Officer\n        stated that the “Air Force Memorandum” paragraph in finding A discusses only\n        an Assistant Secretary of the Air Force (Acquisition) memorandum on C4I\n        support plans. He stated that the paragraph did not address direction contained in\n        Air Force Instruction 33-202 or Air Force Pamphlet 63-1701. The Air Force\n        Chief Information Officer recommended that those documents be reviewed to\n        determine whether the audit results should be updated to include salient\n        information from those documents in finding A.\n\n        Audit Response. 
We reviewed Air Force Instruction 33-202 and determined that\n        it does not contain additional requirements for the C4I support plan or the\n        information support plan beyond the requirements of DoD Instruction 4630.8,\n        which we cited in finding A. Requirements of the Instruction apply to finding B\n        and are cited on pages 14 and 16 of the report. Air Force Pamphlet 63-1701\n        addresses C4I certification and accreditation but does not address preparing a C4I\n        support plan or information support plan.\n\n27\n  Chairman of the Joint Chiefs of Staff Instruction 6212.01C defines a non-acquisition category as all\n defense information technology and national security system projects, pre-acquisition demonstration,\n joint experimentations, joint tests and evaluations, and non-DoD 5000 series information technology and\n NS system acquisitions and procurements.\n\nAir Force Instruction 63-101. The Air Force Chief Information Officer stated\nthat although Air Force Pamphlet 63-1701 makes information technology system\ncertification and accreditation a part of the program managers’ program\nprotection planning responsibilities, Air Force Instruction 63-101 does not\ninclude those information technology security and certification requirements. The\nAir Force Chief Information Officer suggested an additional recommendation be\nincluded in finding A to update Air Force Instruction 63-101 to include the\nrequirements for interoperability and information support plans for all information\ntechnology systems, including automated information systems connected to the\nGlobal Information Grid.\n\nAudit Response. Air Force Instruction 63-101 is interim Air Force guidance that\nprogram managers should use in conjunction with Air Force Instruction 10-601,\n“Capabilities Based Requirements Development,” July 30, 2004. 
Air Force\nInstruction 10-601 implements the requirements of Chairman of the Joint Chiefs\nof Staff Instruction 6212.01C. Air Force Instruction 10-601 states that program\nauthorities should use information support plans to document the information\ntechnology and NS system needs; objectives; and interface requirements for all\nacquisition category, non-acquisition category, and fielded programs.\n\nAir Force Asset Inventory. The Air Force Chief Information Officer stated that\nthe Air Force uses the Air Force Enterprise Information Technology Data\nRepository (formerly called the Systems Compliance Database) as its asset\ninventory. The Air Force Enterprise Information Technology Data Repository\nfeeds into the DoD Information Technology Registry. Further, he stated that\npending additional guidance, the Air Force will continue to populate the DoD\nInformation Technology Registry.\n\nAudit Response. Because DoD has not defined the content of the Global\nInformation Grid asset inventory, the Air Force is not able to populate and\nmaintain a Global Information Grid asset inventory for Air Force systems, as\nstated in the report. Although the Enterprise Information Technology Data\nRepository feeds into the DoD Information Technology Registry, the Principal\nDirector to the Deputy DoD Chief Information Officer stated that the DoD\nInformation Technology Registry is not adequate to use as the GIG asset\ninventory. However, the Principal Director stated that DoD may develop the\nDoD Information Technology Registry into the GIG asset inventory. We updated\nthe report to reflect the Air Force asset inventory efforts.\n\nAir Education and Training Command. The Air Force Chief Information\nOfficer recommended changing “Air Force Training and Doctrine Command” to\n“Air Education and Training Command.”\n\nAudit Response. Neither command was mentioned in the report.\n\nAppendix H. 
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense for Networks and Information Integration/DoD Chief\n   Information Officer\nDirector, Program Analysis and Evaluation\nDirector, Operational Test and Evaluation\n\nJoint Staff\nDirector, Joint Staff\n   Director for Command, Control, Communications, and Computers Systems\n      Directorate (J-6)\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nCommander, Air Force Air Combat Command\n   Commander, Air Intelligence Agency\n      Commander, Air Force Information Warfare Center\nCommander, Air Force Air Mobility Command\nCommander, Air Force Space Command\nAssistant Secretary of the Air Force (Acquisition)\n   Deputy Assistant Secretary of the Air Force (Management Policy and Program\n      Integration)\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAir Force Deputy Chief of Staff for Air and Space Operations\n   Director, Operational Capabilities Requirements Directorate\nAir Force Deputy Chief of Staff for Warfighting Integration\n   Director, Command, Control, Communications, and Computers, Intelligence,\n      Surveillance, and Reconnaissance Infostructure Directorate\nAuditor General, Department of the Air Force\nAir Force Chief Information Officer\nCommander, Air Force Operational Test and Evaluation Center\nDirector, Air Force Test and Evaluation Directorate\nCommander, Air Force Communications Agency\n\nCombatant Command\nInspector General, U.S. 
Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Information Systems Agency\n   Commander, Joint Interoperability Test Command\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\nJoint Staff Comments\n\n    Reply ZIP Code:                                                 W S M 0024-05\n    20318-0300                                                      0 8 January 2005\n\n    MEMORANDUM FOR THE INSPECTOR GENERAL, DEPARTMENT OF\n                           DEFENSE\n\n    1. Thank you for the opportunity to review the subject report. The Joint Staff\n    concurs in the draft report recommendations and will support them through\n    participation as a principal member on the Interoperability Test Panel.\n\n    2. The Joint Staff point of contact is Commander Charles Marre 11, USN;\n    J-6k 703-697-4232.\n\n                                            NORTON A SCHWARTZ\n                                            Lieutenant General, 
USAF\n                                            Director, Joint Staff\n\nDepartment of the Air Force Comments\n\n                                    DEPARTMENT OF THE AIR FORCE\n                                      OFFICE OF WE UMER S E E T U P I\n                                                WASHINGTON DC\n\n   CHIEF INFORMATION OFFICER\n                                                                                    JAN 0 s 10I6\n\n         MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDITING\n                    OFFICE OF THE INSPECTOR GENERAL DEPARTMENT OF DEFENSE\n\n               We have m i m e d the maA         md concur with ibl rsommcodation for thc (bid\n         loformaoOsOmcer UI ". .impolicy to rtquimpmpnm m m g n Co pnparc informhon\n         w n plans d oobuin rupportpbillty c s r i h I i o n Lxfmpmgram dsision mi- and before\n         fieldhthc s-..    .."This i s m will ba addrrssed in Air Force Poliev h i v e 33.2.\n\n\n                 we     CO~SU   ~ the m m d a t l o n thu thc m e f m m u i o n omcer".. verify\n                              aith\n         thst Air Fmes system p\n                              m m a& p p m d system x o d y a!~tbonratioo,-~\n         (SSAAsl Mae milatrme detision mints..." 
This iafmmatimn eollcctcd m the An F m c\n         &mp&       I d d o n ~ c o l m o l o w ~ a Repository\n                                                    ta         (errr,R) Pllltha, A P - C I O p m m d ~YNI\n         vaiQthc c x i m of SSAA ss part of the Mlmation Ammace Smtegynviwpm-.\n\nTeam Members\nThe Office of the Deputy Inspector General for Auditing of the Department of\nDefense, Acquisition and Technology Management prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\n\nJohn E. Meling\nJack D. Snider\nSuellen R. Brittingham\nAlice F. Carey\nNeal J. Gause\nKevin W. Klein\nTracey E. Dismukes\nPatricia A. Joyner\nLidet K. Negash\nTomasa Pack\nTodd L. Kowalski\nChristopher M. Scrabis\nZachary M. Williams\nDeborah J. Thomas\nJoyce Tseng\nJulie B. Vaillancourt\nPeter C. Johnson\nAnh H. Tran\nLieutenant Colonel Shurman L. Vines, USA\nErnest G. Fine\nCindy L. Gladden\nJacqueline N. Pugh\n'